[GitHub] [ozone] neils-dev commented on a diff in pull request #4654: HDDS-8521. Fix SCM certificate count check during OM & Datanode startup.

Thu, 04 May 2023 09:34:31 -0700 


neils-dev commented on code in PR #4654:
URL: https://github.com/apache/ozone/pull/4654#discussion_r1185248051


##########
hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/utils/HAUtils.java:
##########
@@ -489,7 +489,7 @@ private static List<String> waitForCACerts(
     // For now when Client of SCM's are started we compare their node list
     // size and ca list size if it is as expected, we return the ca list.
     List<String> caCertPemList = applyFunction.get();
-    boolean caListUpToDate = caCertPemList.size() == expectedCount;
+    boolean caListUpToDate = caCertPemList.size() >= expectedCount;

Review Comment:
    Thanks @nandakumar131 .  In PR #4622, I checked the expectedCount to the 
number of unique subject CN of the certificate (unique hosts) and then issued a 
warning if the number of certs was greater indicating to the user to revoke 
unnecessarily certs - we can do it here if useful warn:
   
https://github.com/apache/ozone/blob/db789052b967eea48c01389030c3cd20f6c6a1c6/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/utils/HAUtils.java#L528



##########
hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/utils/HAUtils.java:
##########
@@ -489,7 +489,7 @@ private static List<String> waitForCACerts(
     // For now when Client of SCM's are started we compare their node list
     // size and ca list size if it is as expected, we return the ca list.
     List<String> caCertPemList = applyFunction.get();
-    boolean caListUpToDate = caCertPemList.size() == expectedCount;
+    boolean caListUpToDate = caCertPemList.size() >= expectedCount;

Review Comment:
   In the PR #4622, the certificate validation is done by checking the 
`expectedCount `to the number of unique certificate subject CNs (hosts).  It 
may provide a refined validation check.  Either is fine. 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to